Ransomware has become one of Australia’s fastest-growing cyber threats in recent years, driven by new and innovative tactics that cybercriminals use to amplify the financial and disruptive impacts such attacks have on businesses across the country, the latest report from the Australian Cyber Security Centre (ACSC) has revealed.
In its annual cyber threat report, the agency disclosed that it received almost 500 ransomware cybercrime reports during the 2020-21 financial year, a 15% jump from the previous period. During the period, the agency also responded to about 160 cybersecurity incidents related to ransomware.
Organisations in the professional, scientific, and technical services sector were the most targeted group, followed by those in healthcare and social assistance, manufacturing, education and training, and government. These five sectors accounted for almost half of ransomware-related incidents reported to the ACSC in the last financial year.
The agency attributed the spike to cyber criminals’ adoption of business principles.
“New business models make ransomware available to a broader range of offenders, akin to a criminal franchising arrangement,” the department wrote. “During the 2020–21 financial year, the ACSC observed an increase in professional syndicates operating ransomware-as-a-service (RaaS), which enables affiliates to use predeveloped ransomware tools to execute ransomware attacks in return for providing a percentage of the profits to the syndicate. This development has contributed to an increase in ransomware globally and enabled the targeting of a wider range of victims.”
The ACSC also saw a rise in ransomware attacks targeting “vulnerable and critical elements of society,” with payment demands ranging from thousands to millions of dollars, as access to dark web tools and services improved cybercriminals’ capabilities.
“Extortion tradecraft evolved, with criminals combining the encryption of victim networks with threats to release or on-sell stolen sensitive data and damage the victim’s reputation,” the agency added.
The ACSC defines ransomware as a “type of malware that cybercriminals use against a victim to prevent access to files or systems that are of value to the organisation until a ransom is paid.” It can cause severe reputational damage to a business and can be costly to mitigate.
The agency also detailed the five stages of how cyber actors conduct ransomware attacks against devices and systems. These are:
In a separate white paper, the ACSC laid down the different “innovations in ransomware” that cybercriminals have adopted in recent years to “incentivise victims” to make payments. These tactics include:
While there is currently no legislation in Australia directly prohibiting businesses from making ransomware payments, doing so could constitute an offence in certain circumstances.
Paying ransom can be considered giving money to criminals or knowingly funding criminal activities, including terrorism, which is in violation of the Criminal Code Act 1995 and the Anti-Money Laundering and Counter-Terrorism Financing Act 2006.
The ACSC also advised businesses to refrain from paying ransom demands as it does not guarantee that data would be unlocked and might increase the risk of the organisation being retargeted in the future.
The ACSC listed several practical tips that businesses can implement to prevent a ransomware attack from happening or mitigate its effects. Some of these strategies include:
The agency advised businesses to back up files from computers, phones, and other devices regularly, and to choose automatic back-ups where possible.
“Backups need to be kept separately from the network, on separate devices or using a cloud service,” ACSC noted. “Immediately disconnect external storage after backups are created to avoid backups also being encrypted. Ransomware can encrypt cloud back-ups if a user remains authenticated to the service, or auto-sync is enabled with local files.”
The agency also recommended that businesses ensure that employees know how to restore files from back-ups and that they practise conducting restoration regularly.
Operating systems and security software should be updated automatically to fix security flaws, so it is important that users never disregard update prompts, according to the ACSC.
“As with the regular back-ups, this should be done automatically where possible,” it added. “This includes ensuring internet-facing devices are configured properly, with security features enabled.”
The ACSC recommended disabling Microsoft Office macros for users who do not require them and allowing only digitally signed macros for all other users. The agency added that macros originating from files from the internet should be blocked and scanned using macro antivirus.
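The macro settings described above can be checked on a workstation. The following PowerShell audit is an added example, not ACSC code; it assumes Office 2016 or later (policy hive `16.0`) with settings delivered by Group Policy to the per-user policy key, and reads the `VBAWarnings` and `blockcontentexecutionfrominternet` policy values for Word, Excel and PowerPoint.

```powershell
# Added example: report whether the current user's Office macro policy matches
# the guidance above (macros disabled or signed-only, internet macros blocked).
# Assumptions: Office 2016+ ("16.0") and Group Policy-managed HKCU policy keys.

$apps = 'Word', 'Excel', 'PowerPoint'
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

# Meaning of the VBAWarnings policy value
$vbaMeaning = @{
    1 = 'Enable all macros'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

function Get-MacroPolicy {
    param([Parameter(Mandatory)][string]$App)

    $key   = Join-Path $base "$App\Security"
    # A missing key means no policy is enforced for this application.
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    $vba   = $props.VBAWarnings
    $block = $props.blockcontentexecutionfrominternet

    if ($null -eq $vba) {
        $setting = 'Not configured (user can change the setting)'
    } elseif ($vbaMeaning.ContainsKey([int]$vba)) {
        $setting = $vbaMeaning[[int]$vba]
    } else {
        $setting = "Unrecognised value: $vba"
    }

    [pscustomobject]@{
        Application         = $App
        MacroSetting        = $setting
        BlockInternetMacros = ($block -eq 1)
        # 4 suits users who do not need macros, 3 suits users who do;
        # both also need internet-origin macros blocked.
        MeetsGuidance       = (($vba -in 3, 4) -and ($block -eq 1))
    }
}

$apps | ForEach-Object { Get-MacroPolicy -App $_ } | Format-Table -AutoSize
```

Run it in the session of the user being checked, since the values live under that user's registry hive.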
Businesses should have a plan in place to reduce the damage and impact of ransomware on their operations. This may include the development and exercising of business continuity and disaster recovery plans. Having a plan ready will enable organisations to recover quickly and help them safeguard against future incidents.
The ACSC also recommended the following measures:
A recent survey conducted by cybersecurity giant CrowdStrike found that more than two-thirds of Australian businesses fell victim to a ransomware attack between 2019 and 2020. Of these, a third paid the ransom, which cost $1.25 million on average.
For businesses that are hit by ransomware, the ACSC has this three-step advice:
According to the agency, there is no guarantee that cybercriminals will decrypt files once the ransom is paid, adding that there is a chance that files may not even be recoverable, especially when the attackers use wiper malware, which sometimes masquerades as ransomware and permanently modifies or deletes files. Further, the link provided to the victim directing them to information about payment and contacts may install further malware into their system or network.
The ACSC manages ReportCyber, an online portal where individuals, businesses, organisations, and Commonwealth entities can report cybercrime incidents. This can help prevent future attacks from happening.
Recovery from ransomware incidents is costly, both from a reputational and financial standpoint. However, early engagement of a cyber security provider may result in more timely remediation compared to internal IT teams that may not be resourced appropriately to respond. It can also pave the way for a faster return to business-as-usual operations, allowing businesses to save money in the long run.